Severe Silent Circle Blackphone vulnerability lets hackers take over
Researchers have revealed a severe vulnerability in Silent Circle's Blackphone which could allow attackers to take control of the device's functions.
Silent Circle's Blackphone, born after former US National Security Agency (NSA) contractor Edward Snowden exposed the intelligence agency's spying practices on the global stage, is a phone peddled to the privacy-conscious. The Blackphone grants users complete control of app permissions and includes encrypted services such as Silent Phone and Silent Text, designed to prevent surveillance and eavesdropping.
The device runs on PrivatOS, a custom Android build with a set of security-focused tools.
However, no software is completely free of vulnerabilities and bugs, and researchers have recently discovered a flaw in the Blackphone 1 system which could lead to modem tampering and call record surveillance.
Tim Strazzere, Director of Mobile Research at SentinelOne said in a blog post on Wednesday the firm was preparing for a Red Naga training session when they discovered a socket left open on the Blackphone 1 used by SELinux on Android. Strazzere explained:
"There is almost no mention of this socket anywhere on the internet except for file_contexts used by SELinux on Android. It appeared to be for the Nvidia Shield tablet, which is the only other Android device that seems to be used in the wild with an Icera modem and has since been abandoned by Nvidia.
As we dug deeper we found a few applications which interact with this socket, specifically agps_daemon, which has more elevated privileges than a normal shell/app user since it is a system/radio user."
Further exploration led to the discovery that the Nvidia Icera modem binary's privileged process was able to talk directly to the Blackphone modem. Attackers could run as a shell user or use a Web-enabled app to send commands to the modem, leading to a wealth of problems for the user.
See also: Silent Circle Blackphone 2 review: A secure Android phone with a privacy punch
SentinelOne says codes could be sent by an attacker to wreck havoc within the mobile device, including changing call IDs, sending SMS messages without user consent, set call forwarding and preventing incoming calls from showing.
Alongside these potential attacks, threat actors could use other code paths to dial or connect calls -- often leading to freezing -- check the state of calls silently and both view what number the call is connected to and whether it is an incoming or outgoing call, as well as reset APN, SMSC and power settings.
Security
In addition, attackers could force conference calls with other numbers, mute the modem speakers, force or unforce caller ID settings, kill the modem and silently register a call forwarding number which flies under the Blackphone's radar.
Silent Circle was made aware of the flaw in August via crowdsourced bug bounty platform Bugcrowd. On September 10, the vulnerability was assigned the CVE number 20156841 and Silent Circle confirmed the problem by the end of that month.
In early November, Silent Circle patched the problem and issued a financial award for the finding, leading to a mass patch deployment on 7 December 2015. The vulnerability was removed in PrivatOS 1.1.13.
Whether or not a device is focused on security, there will always be vulnerabilities and software issues -- especially as digital warfare and exploits have become big business. You should never consider any device to be completely secure and keep your software and systems up-to-date with the latest patches as soon as they are made available.
In a blog post, Silent Circle said:
"One of the biggest threats with any smartphone is installing apps from untrusted parties. If a malicious App were installed on the phone it could take advantage of this vulnerability. For this reason, Silent Circle provides a countermeasure with Security Center. Security Center lists all Apps on the device and is prompted at each new App install."